|
OLD | NEW |
---|---|
(Empty) | |
1 /* This Source Code Form is subject to the terms of the Mozilla Public | |
2 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
4 /* $Id: gsm.c,v 1.27 2012/04/25 14:49:43 gerv%gerv.net Exp $ */ | |
5 | |
6 #ifdef FREEBL_NO_DEPEND | |
7 #include "stubs.h" | |
8 #endif | |
9 #include "blapii.h" | |
10 #include "blapit.h" | |
11 #include "gcm.h" | |
12 #include "ctr.h" | |
13 #include "secerr.h" | |
14 #include "prtypes.h" | |
15 #include "pkcs11t.h" | |
16 | |
17 /************************************************************************** | |
18 * First inplement the Galios hash function of GCM (gcmHash) * | |
19 **************************************************************************/ | |
20 #define GCM_HASH_LEN_LEN 8 /* gcm hash defines lengths to be 64 bits */ | |
21 | |
22 typedef struct gcmHashContextStr gcmHashContext; | |
23 | |
24 SECStatus gcmHash_Init(gcmHashContext *hash, const unsigned char *H, | |
25 unsigned int blocksize); | |
26 void gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit); | |
27 SECStatus gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, | |
28 unsigned int len, unsigned int blocksize); | |
29 SECStatus gmcHash_Sync(gcmHashContext *ghash, unsigned int blocksize); | |
30 SECStatus gcmHash_Final(gcmHashContext *gcm, unsigned char *outbuf, | |
31 unsigned int *outlen, unsigned int maxout, | |
32 unsigned int blocksize); | |
33 SECStatus gcmHash_Reset(gcmHashContext *ghash, const unsigned char *inbuf, | |
34 unsigned int inbufLen, unsigned int blocksize); | |
35 | |
36 | |
37 /* compile time defines to select how the GF2 multiply is calculated. | |
38 * There are currently 2 algorithms implemented here: MPI and ALGORITHM_1. | |
39 * | |
40 * MPI uses the GF2m implemented in mpi to support GF2 ECC. | |
41 * ALGORITHM_1 is the Algorithm 1 in both NIST SP 800-38D and | |
42 * "The Galois/Counter Mode of Operation (GCM)", McGrew & Viega. | |
43 */ | |
44 #if !defined(GCM_USE_ALGORITHM_1) && !defined(GCM_USE_MPI) | |
45 #define GCM_USE_MPI 1 /* MPI is about 5x faster with the | |
46 * same or less complexity. It's possible to use | |
47 * tables to speed things up even more */ | |
Ryan Sleevi
2012/09/11 19:34:30
PCLMULQDQ was the AES-NI instruction that provides
rjrejyea
2012/09/19 22:12:29
On 2012/09/11 19:34:30, Ryan Sleevi wrote:
It may
| |
48 #endif | |
49 | |
50 /* GCM defines the bit string to be LSB first, which is exactly | |
51 * opposite everyone else, including hardware. build array | |
52 * to reverse everything. */ | |
53 static const unsigned char gcm_byte_rev[256] = { | |
54 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, | |
55 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, | |
56 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, | |
57 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, | |
58 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, | |
59 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, | |
60 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, | |
61 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, | |
62 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, | |
63 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, | |
64 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, | |
65 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, | |
66 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, | |
67 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, | |
68 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, | |
69 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, | |
70 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, | |
71 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, | |
72 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, | |
73 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, | |
74 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, | |
75 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, | |
76 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, | |
77 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, | |
78 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, | |
79 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, | |
80 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, | |
81 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, | |
82 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, | |
83 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, | |
84 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, | |
85 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff | |
86 }; | |
87 | |
88 | |
89 #ifdef GCM_TRACE | |
90 #include "stdio.h" | |
91 #endif | |
92 | |
93 #ifdef GCM_TRACE | |
94 #define GCM_TRACE_X(ghash,label) { \ | |
95 unsigned char _X[MAX_BLOCK_SIZE]; int i; \ | |
96 gcm_getX(ghash, _X, blocksize); \ | |
97 printf(label,(ghash)->m); \ | |
98 for (i=0; i < blocksize; i++) printf("%02x",_X[i]); \ | |
99 printf("\n"); } | |
100 #define GCM_TRACE_BLOCK(label,buf,blocksize) {\ | |
101 printf(label); \ | |
102 for (i=0; i < blocksize; i++) printf("%02x",buf[i]); \ | |
103 printf("\n"); } | |
104 #else | |
105 #define GCM_TRACE_X(ghash,label) | |
106 #define GCM_TRACE_BLOCK(label,buf,blocksize) | |
107 #endif | |
108 #ifdef GCM_USE_MPI | |
109 | |
110 #ifdef GCM_USE_ALGORTHM_1 | |
111 #error "Only define one of GCM_USE_MPI, GCM_USE_ALGORITHM_1" | |
112 #endif | |
113 /* use the MPI functions go calculage Xn = (Xn-1^C_i)*H mod poly */ | |
114 #include "mpi.h" | |
115 #include "secmpi.h" | |
116 #include "mplogic.h" | |
117 #include "mp_gf2m.h" | |
118 | |
119 /* state need to handle GCM Hash function */ | |
120 struct gcmHashContextStr { | |
121 mp_int H; | |
122 mp_int X; | |
123 mp_int C_i; | |
124 unsigned int *poly; | |
125 unsigned long cLen; | |
126 unsigned char buffer[MAX_BLOCK_SIZE]; | |
127 int bufLen; | |
128 int m; | |
129 unsigned char counterBuf[2*GCM_HASH_LEN_LEN]; | |
130 }; | |
131 | |
132 | |
Ryan Sleevi
2012/09/11 19:34:30
nit: spare newline?
| |
133 /* f = x^128 + x^7 + x^2 + x + 1 */ | |
134 static unsigned int poly_128[] = { 128, 7, 2, 1, 0 }; | |
135 /* f = x^64 + x^4 + x^3 + x + 1 */ | |
136 static unsigned int poly_64[] = { 64, 4, 3, 1, 0 }; | |
137 | |
138 /* sigh, GCM defines the bit strings exactly backwards from everything else */ | |
139 static void | |
140 gcm_reverse(unsigned char *target, const unsigned char *src, | |
Ryan Sleevi
2012/09/11 19:34:30
The Intel documentation points out (in Algorithm 5
| |
141 unsigned int blocksize) | |
142 { | |
143 int i; | |
144 for (i=0; i < blocksize; i++) { | |
145 target[blocksize-i-1] = gcm_byte_rev[src[i]]; | |
146 } | |
147 } | |
148 | |
149 /* Initialize a gcmHashContext */ | |
150 SECStatus | |
151 gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, | |
152 unsigned int blocksize) | |
153 { | |
154 mp_err err = MP_OKAY; | |
155 unsigned char H_rev[MAX_BLOCK_SIZE]; | |
156 | |
157 MP_DIGITS(&ghash->H) = 0; | |
158 MP_DIGITS(&ghash->X) = 0; | |
159 MP_DIGITS(&ghash->C_i) = 0; | |
160 CHECK_MPI_OK( mp_init(&ghash->H) ); | |
161 CHECK_MPI_OK( mp_init(&ghash->X) ); | |
162 CHECK_MPI_OK( mp_init(&ghash->C_i) ); | |
163 | |
164 mp_zero(&ghash->X); | |
165 gcm_reverse(H_rev, H, blocksize); | |
166 CHECK_MPI_OK( mp_read_unsigned_octets(&ghash->H, H_rev, blocksize) ); | |
167 | |
168 /* set the irreducible polynomial. Each blocksize has it's own polynommial | |
169 * for now only blocksizes 16 (=128 bits) and 8 (=64 bits) are defined */ | |
170 switch (blocksize) { | |
171 case 16: /* 128 bits */ | |
172 ghash->poly = poly_128; | |
173 break; | |
174 case 8: /* 64 bits */ | |
175 ghash->poly = poly_64; | |
176 break; | |
177 default: | |
178 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
179 goto cleanup; | |
180 } | |
181 ghash->cLen = 0; | |
182 ghash->bufLen = 0; | |
183 ghash->m = 0; | |
184 PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf)); | |
185 return SECSuccess; | |
186 cleanup: | |
187 mp_clear(&ghash->H); | |
188 mp_clear(&ghash->X); | |
189 mp_clear(&ghash->C_i); | |
190 MP_DIGITS(&ghash->H) = 0; | |
191 MP_DIGITS(&ghash->X) = 0; | |
192 MP_DIGITS(&ghash->C_i) = 0; | |
193 return SECFailure; | |
194 } | |
195 | |
196 /* Destroy a HashContext (Note we zero the digits so this function | |
197 * is idempotent if called with freeit == PR_FALSE */ | |
198 void | |
199 gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit) | |
200 { | |
201 mp_clear(&ghash->H); | |
202 mp_clear(&ghash->X); | |
203 mp_clear(&ghash->C_i); | |
204 MP_DIGITS(&ghash->H) = 0; | |
205 MP_DIGITS(&ghash->X) = 0; | |
206 MP_DIGITS(&ghash->C_i) = 0; | |
207 if (freeit) { | |
208 PORT_Free(ghash); | |
209 } | |
210 } | |
211 | |
212 | |
Ryan Sleevi
2012/09/11 19:34:30
nit: spare newline?
| |
213 static SECStatus | |
214 gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize) | |
215 { | |
216 int len; | |
217 mp_err err; | |
218 unsigned char tmp_buf[MAX_BLOCK_SIZE]; | |
219 unsigned char *X; | |
220 | |
221 len = mp_unsigned_octet_size(&ghash->X); | |
222 X = tmp_buf; | |
223 PORT_Assert(len <= blocksize); | |
224 if (len > blocksize) { | |
225 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
226 return SECFailure; | |
227 } | |
228 /* zero pad the result */ | |
229 if (len != blocksize) { | |
230 PORT_Memset(X,0,blocksize-len); | |
231 X += blocksize-len; | |
232 } | |
233 | |
234 err = mp_to_unsigned_octets(&ghash->X, X, len); | |
235 if (err < 0) { | |
236 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); | |
237 return SECFailure; | |
238 } | |
239 gcm_reverse(T, X, blocksize); | |
240 return SECSuccess; | |
241 } | |
242 static SECStatus | |
Ryan Sleevi
2012/09/11 19:34:30
nit: add newline
| |
243 gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf, | |
244 unsigned int count, unsigned int blocksize) | |
245 { | |
246 SECStatus rv = SECFailure; | |
247 mp_err err = MP_OKAY; | |
248 unsigned char tmp_buf[MAX_BLOCK_SIZE]; | |
249 int i; | |
250 | |
251 for (i=0; i < count; i++, buf += blocksize) { | |
252 ghash->m++; | |
253 gcm_reverse(tmp_buf, buf, blocksize); | |
254 CHECK_MPI_OK(mp_read_unsigned_octets(&ghash->C_i, tmp_buf, blocksize)); | |
255 CHECK_MPI_OK(mp_badd(&ghash->X, &ghash->C_i, &ghash->C_i)); | |
256 /* | |
257 * Looking to speed up GCM, this the the place to do it. | |
258 * There are two areas that can be exploited to speed up this code. | |
259 * | |
260 * 1) H is a constant in this multiply. We can precompute H * (0 - 255) | |
261 * at init time and this becomes an blockize xors of our table lookup. | |
262 * | |
263 * 2) poly is a constant for each blocksize. We can calculate the | |
264 * modulo reduction by a serious of adds and shifts. | |
265 * | |
266 * For now we are after functionality, so we will go ahead and use | |
267 * the bultin bmulmod fro mpl | |
Ryan Sleevi
2012/09/11 19:34:30
s/bultin/builtin
s/fro/from
| |
268 */ | |
269 CHECK_MPI_OK(mp_bmulmod(&ghash->C_i, &ghash->H, | |
270 ghash->poly, &ghash->X)); | |
271 GCM_TRACE_X(ghash, "X%d = ") | |
272 } | |
273 rv = SECSuccess; | |
274 cleanup: | |
275 return rv; | |
276 } | |
277 | |
278 | |
Ryan Sleevi
2012/09/11 19:34:30
nit: spare newline?
| |
279 void | |
280 gcm_zeroX(gcmHashContext *ghash) | |
281 { | |
282 mp_zero(&ghash->X); | |
283 ghash->m = 0;; | |
Ryan Sleevi
2012/09/12 00:22:47
nit: extra ;
| |
284 } | |
285 | |
286 #endif | |
287 #ifdef GCM_USE_ALGORITHM_1 | |
288 /* use algorithm 1 of McGree & Viega "The Galois/Counter Mode of Operation" */ | |
Ryan Sleevi
2012/09/11 19:34:30
s/McGree/McGrew
| |
289 | |
290 #define GCM_ARRAY_SIZE (MAX_BLOCK_SIZE/sizeof(unsigned long)) | |
291 | |
292 struct gcmHashContextStr { | |
293 unsigned long H[GCM_ARRAY_SIZE]; | |
294 unsigned long X[GCM_ARRAY_SIZE]; | |
295 unsigned long R; | |
296 unsigned long cLen; | |
297 unsigned char buffer[MAX_BLOCK_SIZE]; | |
298 int bufLen; | |
299 int m; | |
300 unsigned char counterBuf[2*GCM_HASH_LEN_LEN]; | |
301 }; | |
302 | |
303 void | |
304 gcm_bytes_to_longs(unsigned long *l, const unsigned char *c, unsigned int len) | |
305 { | |
306 int i,j; | |
307 int array_size = len/sizeof(unsigned long); | |
308 | |
309 PORT_Assert(len % sizeof(unsigned long) == 0); | |
310 for (i=0; i < array_size; i++) { | |
311 unsigned long tmp = 0; | |
312 int byte_offset = i * sizeof(unsigned long); | |
313 for (j=sizeof(unsigned long)-1; j >= 0; j--) { | |
314 tmp = (tmp << BITS_PER_BYTE) | gcm_byte_rev[c[byte_offset+j]]; | |
315 } | |
316 l[i] = tmp; | |
317 } | |
318 } | |
319 | |
320 void | |
321 gcm_longs_to_bytes(const unsigned long *l, unsigned char *c, unsigned int len) | |
322 { | |
323 int i,j; | |
324 int array_size = len/sizeof(unsigned long); | |
325 | |
326 PORT_Assert(len % sizeof(unsigned long) == 0); | |
327 for (i=0; i < array_size; i++) { | |
328 unsigned long tmp = l[i]; | |
329 int byte_offset = i * sizeof(unsigned long); | |
330 for (j=0 ; j < sizeof(unsigned long); j++) { | |
331 c[byte_offset+j] = gcm_byte_rev[tmp & 0xff]; | |
332 tmp = (tmp >> BITS_PER_BYTE); | |
333 } | |
334 } | |
335 } | |
336 | |
337 | |
338 /* Initialize a gcmHashContext */ | |
339 SECStatus | |
340 gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, | |
341 unsigned int blocksize) | |
342 { | |
343 PORT_Memset(ghash->X, 0, sizeof(ghash->X)); | |
344 PORT_Memset(ghash->H, 0, sizeof(ghash->H)); | |
345 gcm_bytes_to_longs(ghash->H, H, blocksize); | |
346 | |
347 /* set the irreducible polynomial. Each blocksize has it's own polynommial | |
348 * for now only blocksizes 16 (=128 bits) and 8 (=64 bits) are defined */ | |
349 switch (blocksize) { | |
350 case 16: /* 128 bits */ | |
351 ghash->R = (unsigned long) 0x87; /* x^7 + x^2 + x +1 */ | |
352 break; | |
353 case 8: /* 64 bits */ | |
354 ghash->R = (unsigned long) 0x1b; /* x^4 + x^3 + x + 1 */ | |
355 break; | |
356 default: | |
357 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
358 goto cleanup; | |
359 } | |
360 ghash->cLen = 0; | |
361 ghash->bufLen = 0; | |
362 ghash->m=0; | |
363 PORT_Memset(ghash->counterBuf, 0, sizeof(ghash->counterBuf)); | |
364 return SECSuccess; | |
365 cleanup: | |
366 return SECFailure; | |
367 } | |
368 | |
369 /* Destroy a HashContext (Note we zero the digits so this function | |
370 * is idempotent if called with freeit == PR_FALSE */ | |
371 void | |
372 gcmHash_DestroyContext(gcmHashContext *ghash, PRBool freeit) | |
373 { | |
374 if (freeit) { | |
375 PORT_Free(ghash); | |
376 } | |
377 } | |
378 | |
379 static void | |
380 gcm_xor(unsigned long *t, const unsigned long *x, int count) | |
381 { | |
382 int i; | |
383 for (i=0; i < count; i++) { | |
384 *t++ ^= *x++; | |
385 } | |
386 } | |
387 | |
388 #define GCM_HIGH_BIT (0x1UL << ((sizeof(unsigned long) * BITS_PER_BYTE)-1)) | |
Ryan Sleevi
2012/09/11 19:34:30
Throughout this file, you frequently have
sizeof(u
| |
389 static | |
390 unsigned long | |
391 gcm_shift_one(unsigned long *t, int count) | |
392 { | |
393 unsigned long carry = 0; | |
394 unsigned long nextcarry = 0; | |
395 int i; | |
396 for (i=0; i < count; i++) { | |
397 nextcarry = t[i] >> ((sizeof(unsigned long)*BITS_PER_BYTE)-1); | |
398 t[i] = (t[i] << 1) | carry; | |
399 carry = nextcarry; | |
400 } | |
401 return carry; | |
402 } | |
403 | |
404 static SECStatus | |
405 gcm_getX(gcmHashContext *ghash, unsigned char *T, unsigned int blocksize) | |
406 { | |
407 gcm_longs_to_bytes(ghash->X, T, blocksize); | |
408 return SECSuccess; | |
409 } | |
410 | |
411 #define GCM_XOR(t, s, len) \ | |
412 for (l=0; l < len; l++) t[l] ^= s[l] | |
Ryan Sleevi
2012/09/11 19:34:30
It's not clear why both this macro and the gcm_xor
rjrejyea
2012/09/19 22:12:29
I think the function came first and I added the ma
| |
413 static SECStatus | |
414 gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf, | |
415 unsigned int count, unsigned int blocksize) | |
416 { | |
417 unsigned long C_i[GCM_ARRAY_SIZE]; | |
418 int arraysize = blocksize/sizeof(unsigned long); | |
419 int i, j, k, l; | |
420 | |
421 for (i=0; i < count; i++, buf += blocksize) { | |
422 ghash->m++; | |
423 gcm_bytes_to_longs(C_i, buf, blocksize); | |
424 GCM_XOR(C_i, ghash->X, arraysize); | |
425 /* multiply X = C_i * H */ | |
426 PORT_Memset(ghash->X, 0, sizeof(ghash->X)); | |
427 for (j=0; j < arraysize; j++) { | |
428 unsigned long H = ghash->H[j]; | |
429 for (k=0; k < sizeof(unsigned long)*BITS_PER_BYTE; k++) { | |
430 if (H & 1) { | |
431 GCM_XOR(ghash->X, C_i, arraysize); | |
432 } | |
433 if (gcm_shift_one(C_i, arraysize)) { | |
434 C_i[0] = C_i[0] ^ ghash->R; | |
435 } | |
436 H = H >> 1; | |
437 } | |
438 } | |
439 GCM_TRACE_X(ghash, "X%d = ") | |
440 } | |
441 return SECSuccess; | |
442 } | |
443 | |
444 | |
445 void | |
446 gcm_zeroX(gcmHashContext *ghash) | |
447 { | |
448 PORT_Memset(ghash->X, 0, sizeof(ghash->X)); | |
449 ghash->m = 0; | |
450 } | |
451 #endif | |
452 | |
453 /* | |
454 * implement GCM GHASH using the freebl GHASH function. The gcm_HashMult | |
455 * function always takes blocksize lengths of data. HashUpdate will | |
Ryan Sleevi
2012/09/12 00:22:47
nit: extra space ("HashUpdate will")
| |
456 * format the data properly. | |
457 */ | |
458 SECStatus | |
459 gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, | |
460 unsigned int len, unsigned int blocksize) | |
Ryan Sleevi
2012/09/12 00:22:47
nit: Looks like alignment is incorrect here regard
| |
461 { | |
462 int blocks; | |
463 SECStatus rv; | |
464 ghash->cLen += (len*BITS_PER_BYTE); | |
465 | |
466 /* first deal with the current buffer of data. Try to fill it out so | |
467 * we can hash it */ | |
468 if (ghash->bufLen) { | |
469 int needed = PR_MIN(len, blocksize - ghash->bufLen); | |
470 PORT_Memcpy(ghash->buffer+ghash->bufLen, buf, needed); | |
Ryan Sleevi
2012/09/12 00:22:47
nit: Throughout this file, it seems to alter incon
rjrejyea
2012/09/19 22:12:29
The most common reason for contracting is to preve
| |
471 buf += needed; | |
472 len -= needed; | |
473 ghash->bufLen += needed; | |
474 if (len == 0) { | |
475 /* didn't add enough to hash the data, nothing more do do */ | |
476 return SECSuccess; | |
477 } | |
478 /* hash the buffer and clear it */ | |
479 rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize); | |
480 PORT_Memset(ghash->buffer, 0, blocksize); | |
481 ghash->bufLen = 0; | |
482 if (rv != SECSuccess) { | |
483 return SECFailure; | |
484 } | |
485 } | |
486 /* now hash any full blocks remaining in the data stream */ | |
487 blocks = len/blocksize; | |
488 if (blocks) { | |
489 rv = gcm_HashMult(ghash, buf, blocks, blocksize); | |
490 if (rv != SECSuccess) { | |
491 return SECFailure; | |
492 } | |
493 buf += blocks*blocksize; | |
494 len -= blocks*blocksize; | |
495 if (len == 0) { | |
496 return SECSuccess; | |
497 } | |
498 } | |
499 | |
500 /* save any remainder in the buffer to be hashed with the next call */ | |
501 PORT_Memcpy(ghash->buffer, buf, len); | |
502 ghash->bufLen = len; | |
503 return SECSuccess; | |
504 } | |
505 | |
506 /* | |
507 * write out any partial blocks zero padded through the GHASH engine, | |
508 * save the lengths for the final completion of the hash | |
509 */ | |
510 SECStatus | |
511 gcmHash_Sync(gcmHashContext *ghash, unsigned int blocksize) | |
512 { | |
513 int i; | |
514 SECStatus rv; | |
515 | |
516 /* copy the previous counter to the upper block */ | |
517 memcpy(ghash->counterBuf, &ghash->counterBuf[GCM_HASH_LEN_LEN], | |
Ryan Sleevi
2012/09/12 00:22:47
BUG? PORT_Memcpy
rjrejyea
2012/09/19 22:12:29
yes
| |
518 GCM_HASH_LEN_LEN); | |
519 /* copy the current counter in the lower block */ | |
520 for (i=0; i < GCM_HASH_LEN_LEN; i++) { | |
521 ghash->counterBuf[GCM_HASH_LEN_LEN+i] = | |
522 (ghash->cLen >> ((GCM_HASH_LEN_LEN-1-i)*BITS_PER_BYTE)) & 0xff; | |
523 } | |
524 ghash->cLen = 0; | |
Ryan Sleevi
2012/09/12 00:22:47
It's not clear to me why this counter work happens
wtc
2012/09/14 01:16:42
I bet rrelyea implemented the original GHASH funct
| |
525 | |
526 /* now zero fill the buffer and hash the last block */ | |
527 if (ghash->bufLen) { | |
528 PORT_Memset(ghash->buffer+ghash->bufLen, 0, blocksize - ghash->bufLen); | |
529 rv = gcm_HashMult(ghash, ghash->buffer, 1, blocksize); | |
530 PORT_Memset(ghash->buffer, 0, blocksize); | |
531 ghash->bufLen = 0; | |
532 if (rv != SECSuccess) { | |
533 return SECFailure; | |
534 } | |
535 } | |
536 return SECSuccess; | |
537 } | |
538 | |
539 /* | |
540 * This does the final since, hashes the lengths, then returns | |
Ryan Sleevi
2012/09/12 00:22:47
"final since" ?
| |
541 * "T", the hashed output. | |
542 */ | |
543 SECStatus | |
544 gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf, | |
545 unsigned int *outlen, unsigned int maxout, | |
546 unsigned int blocksize) | |
547 { | |
548 unsigned char T[MAX_BLOCK_SIZE]; | |
549 SECStatus rv; | |
550 | |
551 rv = gcmHash_Sync(ghash, blocksize); | |
552 if (rv != SECSuccess) { | |
553 return SECFailure; | |
554 } | |
555 | |
556 rv = gcm_HashMult(ghash, ghash->counterBuf, (GCM_HASH_LEN_LEN*2)/blocksize, | |
557 blocksize); | |
558 if (rv != SECSuccess) { | |
559 return SECFailure; | |
560 } | |
561 | |
562 GCM_TRACE_X(ghash, "GHASH(H,A,C) = ") | |
563 | |
564 rv = gcm_getX(ghash, T, blocksize); | |
565 if (rv != SECSuccess) { | |
566 return SECFailure; | |
567 } | |
568 | |
569 if (maxout > blocksize) maxout = blocksize; | |
570 PORT_Memcpy(outbuf, T, maxout); | |
571 *outlen = maxout; | |
572 return SECSuccess; | |
573 } | |
574 | |
575 SECStatus | |
576 gcmHash_Reset(gcmHashContext *ghash, const unsigned char *AAD, | |
577 unsigned int AADLen, unsigned int blocksize) | |
Ryan Sleevi
2012/09/12 00:22:47
nit: suggest instead of "AAD" this could be called
| |
578 { | |
579 SECStatus rv; | |
580 | |
581 ghash->cLen = 0; | |
582 PORT_Memset(ghash->counterBuf, 0, GCM_HASH_LEN_LEN*2); | |
583 ghash->bufLen = 0; | |
584 gcm_zeroX(ghash); | |
585 | |
586 /* now kick things off by hashing the Additional Authentication Data */ | |
587 if (AADLen != 0) { | |
588 rv =gcmHash_Update(ghash, AAD, AADLen, blocksize); | |
Ryan Sleevi
2012/09/12 00:22:47
nit: rv = gcmHash_Update
| |
589 if (rv != SECSuccess) { | |
590 return SECFailure; | |
591 } | |
592 rv = gcmHash_Sync(ghash, blocksize); | |
Ryan Sleevi
2012/09/12 00:22:47
In reading this, I actually found the naming here
| |
593 if (rv != SECSuccess) { | |
594 return SECFailure; | |
595 } | |
596 } | |
597 return SECSuccess; | |
598 } | |
599 | |
600 /* state to handle the full GCM operation (hash and counter) */ | |
601 struct GCMContextStr { | |
602 gcmHashContext ghash_context; | |
603 CTRContext ctr_context; | |
604 unsigned long tagBits; | |
605 unsigned char tagKey[MAX_BLOCK_SIZE]; | |
606 }; | |
607 | |
608 /************************************************************************** | |
609 * Now Inplement the GCM using gcmHash and CTR * | |
Ryan Sleevi
2012/09/12 00:22:47
nit: implement (typo and cap)
| |
610 **************************************************************************/ | |
611 GCMContext * | |
612 GCM_CreateContext(void *context, freeblCipherFunc cipher, | |
613 const unsigned char *params, unsigned int blocksize) | |
614 { | |
615 GCMContext *gcm = NULL; | |
616 gcmHashContext *ghash; | |
617 unsigned char H[MAX_BLOCK_SIZE]; | |
618 unsigned int tmp; | |
619 PRBool freeCtr = PR_FALSE; | |
620 PRBool freeHash = PR_FALSE; | |
Ryan Sleevi
2012/09/12 00:22:47
nit: s/ / /
| |
621 const CK_AES_GCM_PARAMS *gcmParams = (const CK_AES_GCM_PARAMS *)params; | |
622 CK_AES_CTR_PARAMS ctrParams; | |
623 SECStatus rv; | |
624 | |
625 gcm = PORT_ZNew(GCMContext); | |
626 if (gcm == NULL) { | |
627 return NULL; | |
628 } | |
629 /* first fill in the ghash context */ | |
630 ghash = &gcm->ghash_context; | |
631 PORT_Memset(H, 0, blocksize); | |
632 rv = (*cipher)(context, H, &tmp, blocksize, H, blocksize, blocksize); | |
633 if (rv != SECSuccess) { | |
634 goto loser; | |
635 } | |
636 rv = gcmHash_InitContext(ghash, H, blocksize); | |
637 if (rv != SECSuccess) { | |
638 goto loser; | |
639 } | |
640 freeHash = PR_TRUE; | |
641 | |
642 /* fill in the Counter context */ | |
643 ctrParams.ulCounterBits = 32; | |
644 PORT_Memset(ctrParams.cb, 0, sizeof(ctrParams.cb)); | |
645 if ((blocksize == 8) && (gcmParams->ulIvLen == 4)) { | |
646 PORT_Memcpy(&ctrParams.cb[4], gcmParams->pIv, gcmParams->ulIvLen); | |
Ryan Sleevi
2012/09/12 00:22:47
Isn't there an endianness concern here?
wtc
2012/09/14 01:16:42
No. Endianness only applies to the final 32 bits o
| |
647 } else if ((blocksize == 16) && (gcmParams->ulIvLen == 12)) { | |
648 PORT_Memcpy(ctrParams.cb, gcmParams->pIv, gcmParams->ulIvLen); | |
649 ctrParams.cb[blocksize-1] = 1; | |
650 } else { | |
651 rv = gcmHash_Update(ghash, gcmParams->pIv, | |
652 gcmParams->ulIvLen, blocksize); | |
Ryan Sleevi
2012/09/12 00:22:47
nit: weird line breaking here (I would have expect
rjrejyea
2012/09/19 22:12:29
Line isn't long enough to handle the full length.
| |
653 if (rv != SECSuccess) { | |
654 goto loser; | |
655 } | |
656 rv = gcmHash_Final(ghash, ctrParams.cb, &tmp, blocksize, blocksize); | |
Ryan Sleevi
2012/09/12 00:22:47
BUG: Worth noting here that, at this time, there h
| |
657 if (rv != SECSuccess) { | |
658 goto loser; | |
659 } | |
660 } | |
661 rv = CTR_InitContext(&gcm->ctr_context, context, cipher, | |
662 (unsigned char *)&ctrParams, blocksize); | |
663 if (rv != SECSuccess) { | |
664 goto loser; | |
665 } | |
666 freeCtr = PR_TRUE; | |
667 | |
668 /* fill int the gcm structure */ | |
Ryan Sleevi
2012/09/12 00:22:47
typo: fill in the
| |
669 gcm->tagBits = gcmParams->ulTagBits; /* save for final step */ | |
670 /* calculate the final tag key. NOTE:gcm->tagKey is zero to start with | |
Ryan Sleevi
2012/09/12 00:22:47
typo: NOTE: gcm->tagKey
suggest breaking on to a
| |
671 * if this assumption changes, we would need to explicitly clear it here */ | |
672 rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, blocksize, | |
673 gcm->tagKey, blocksize, blocksize); | |
674 if (rv != SECSuccess) { | |
675 goto loser; | |
676 } | |
677 | |
678 /* finally mix in the AAD data */ | |
679 rv = gcmHash_Reset(ghash,gcmParams->pAAD, gcmParams->ulAADLen, blocksize); | |
Ryan Sleevi
2012/09/12 00:22:47
nit: ghash, gcmParams->pAAD
| |
680 if (rv != SECSuccess) { | |
681 goto loser; | |
682 } | |
683 | |
684 return gcm; | |
685 | |
686 loser: | |
687 if (freeCtr) { | |
688 CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); | |
689 } | |
690 if (freeHash) { | |
691 gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE); | |
692 } | |
693 if (gcm) { | |
694 PORT_Free(gcm); | |
695 } | |
696 return NULL; | |
697 } | |
698 | |
699 void | |
700 GCM_DestroyContext(GCMContext *gcm, PRBool freeit) | |
701 { | |
702 /* these two are statically allocated and will be freed when we free | |
703 * gcm. call their destroy functions to free up any locally | |
704 * allocated data (like mp_int's) */ | |
705 CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); | |
706 gcmHash_DestroyContext(&gcm->ghash_context, PR_FALSE); | |
707 if (freeit) { | |
708 PORT_Free(gcm); | |
709 } | |
710 } | |
711 | |
712 SECStatus | |
713 gcm_GetTag(GCMContext *gcm, unsigned char *outbuf, | |
714 unsigned int *outlen, unsigned int maxout, | |
715 unsigned int blocksize) | |
716 { | |
717 int tagBytes = (gcm->tagBits + (BITS_PER_BYTE-1)) / BITS_PER_BYTE; | |
718 int extra = tagBytes*BITS_PER_BYTE - gcm->tagBits; | |
719 int i; | |
720 SECStatus rv; | |
721 | |
722 if (outbuf == NULL) { | |
723 *outlen = tagBytes; | |
724 PORT_SetError(SEC_ERROR_OUTPUT_LEN); | |
725 return SECFailure; | |
726 } | |
727 | |
728 if (maxout < tagBytes) { | |
729 *outlen = tagBytes; | |
730 PORT_SetError(SEC_ERROR_OUTPUT_LEN); | |
731 return SECFailure; | |
732 } | |
733 maxout = tagBytes; | |
734 rv = gcmHash_Final(&gcm->ghash_context, outbuf, outlen, maxout, blocksize); | |
735 if (rv != SECSuccess) { | |
736 return SECFailure; | |
737 } | |
738 | |
739 GCM_TRACE_BLOCK("GHASH=", outbuf, blocksize); | |
740 GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize); | |
741 for (i=0; i < *outlen; i++) { | |
742 outbuf[i] = outbuf[i] ^ gcm->tagKey[i]; | |
743 } | |
744 GCM_TRACE_BLOCK("Y0=", gcm->tagKey, blocksize); | |
745 GCM_TRACE_BLOCK("T=", outbuf, blocksize); | |
746 /* mask of any extra bits we got */ | |
747 if (extra) { | |
748 outbuf[tagBytes-1] &= ~ ((1<< extra) -1); | |
Ryan Sleevi
2012/09/12 00:22:47
nit: ((1 << extra) - 1)
| |
749 } | |
750 return SECSuccess; | |
751 } | |
752 | |
753 | |
754 /* | |
755 * See The Galois/Counter Mode of Operation, McGrew and Viega. | |
756 * GCM is basically counter mode with a specific initialization and | |
757 * built in macing operation. | |
758 */ | |
759 SECStatus | |
760 GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf, | |
761 unsigned int *outlen, unsigned int maxout, | |
762 const unsigned char *inbuf, unsigned int inlen, | |
763 unsigned int blocksize) | |
764 { | |
765 SECStatus rv; | |
766 int tagBytes = (gcm->tagBits + (BITS_PER_BYTE-1)) / BITS_PER_BYTE; | |
767 unsigned int len; | |
768 | |
769 if (maxout < inlen + tagBytes) { | |
Ryan Sleevi
2012/09/12 00:22:47
nit: While unlikely, I'm nervous about this from a
| |
770 PORT_SetError(SEC_ERROR_OUTPUT_LEN); | |
771 return SECFailure; | |
772 } | |
773 | |
774 rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, | |
775 inbuf, inlen, blocksize); | |
776 if (rv != SECSuccess) { | |
777 return SECFailure; | |
778 } | |
779 rv = gcmHash_Update(&gcm->ghash_context, outbuf, *outlen, blocksize); | |
780 if (rv != SECSuccess) { | |
781 PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */ | |
782 *outlen = 0; | |
783 return SECFailure; | |
784 } | |
785 rv = gcm_GetTag(gcm, outbuf + *outlen, &len, maxout - *outlen, blocksize); | |
786 if (rv != SECSuccess) { | |
787 PORT_Memset(outbuf, 0, *outlen); /* clear the output buffer */ | |
788 *outlen = 0; | |
789 return SECFailure; | |
790 }; | |
791 *outlen += len; | |
792 return SECSuccess; | |
793 } | |
794 | |
795 /* | |
796 * See The Galois/Counter Mode of Operation, McGrew and Viega. | |
797 * GCM is basically counter mode with a specific initialization and | |
798 * built in macing operation. NOTE: the only difference between Encrypt | |
799 * and Decrypt is when we calculate the mac. That is because the mac must | |
800 * always be calculated on the cipher text, not the plain text, so for | |
801 * encrypt, we do the CTR update first and for decrypt we do the mac first. | |
802 */ | |
803 SECStatus | |
804 GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf, | |
805 unsigned int *outlen, unsigned int maxout, | |
806 const unsigned char *inbuf, unsigned int inlen, | |
807 unsigned int blocksize) | |
808 { | |
809 SECStatus rv; | |
810 int tagBytes = (gcm->tagBits + (BITS_PER_BYTE-1)) / BITS_PER_BYTE; | |
811 unsigned char tag[MAX_BLOCK_SIZE]; | |
812 const unsigned char *intag ; | |
813 unsigned int len; | |
814 | |
815 /* get the authentication block */ | |
816 if (inlen < tagBytes) { | |
817 PORT_SetError(SEC_ERROR_INVALID_ARGS); | |
818 return SECFailure; | |
819 } | |
820 | |
821 inlen -= tagBytes; | |
822 intag = inbuf + inlen; | |
823 | |
824 /* verify the block */ | |
825 rv = gcmHash_Update(&gcm->ghash_context, inbuf, inlen, blocksize); | |
826 if (rv != SECSuccess) { | |
827 return SECFailure; | |
828 } | |
829 rv = gcm_GetTag(gcm, tag, &len, blocksize, blocksize); | |
830 if (rv != SECSuccess) { | |
831 return SECFailure; | |
832 } | |
833 /* Don't decrypt if we can't authenticate the encrypted data! | |
834 * This assumes that if tagBits is not a multiple of 8, intag will | |
835 * preserve the masked off missing bits. */ | |
836 if (PORT_Memcmp(tag, intag, tagBytes) != 0) { | |
Ryan Sleevi
2012/09/12 00:22:47
SECURITY BUG: NSS's SSL layer uses NSS_SecureMemcm
| |
837 /* force a CRK_ENCRYPTED_DATA_INVALID error at in softoken */ | |
838 PORT_SetError(SEC_ERROR_BAD_DATA); | |
839 return SECFailure; | |
840 } | |
841 /* finish the decryption */ | |
842 return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, | |
843 inbuf, inlen, blocksize); | |
844 } | |
OLD | NEW |